1
Schlumberger PKI / Corporate Badge Deployment
Neville Pattinson
Director of Business Development & Technology
IT & Public Sector
2
Overview
• Background
• Overview of the PKI and Corporate Badge components
• Applications
• Deployment Status
• Next Steps
• Lessons Learned
3
Schlumberger... built on global technical services leadership
• Two Divisions:
  – Oilfield Services
  – SchlumbergerSema
• 80,000 employees
• 140 Countries
4
IT security: the business case
IT Security represents a huge opportunity to enhance SLB's image as a secure information provider and to provide new ways of leveraging our services.
IT Security poorly executed has the potential to destroy our business reputation.
Two main priorities:
– Ensure the privacy and integrity of our clients' and our own systems and data.
– IT system availability is critical to our business.
5
IT security: facts
• Decentralized management needs to be responsible for the performance of a highly centralized IT Security system.
• SLB knowledge is a significant competitive advantage and needs to be protected
• People and process are more critical to IT Security than technology
• World Class as compared to “Silicon Valley” companies not traditional Oilfield competitors
6
A Corporate Badge?
• Passwords are expensive and provide poor security
• Many different standards increase management complexity and help desk support costs
• Increasing network fraud, poor security around transactions and messaging
• Hard drive based security can be improved
=> One single ID card for both secure physical and logical access and providing portability and non-repudiation.
7
Corporate Badge Solution (Dexa.Badge)
• Authentication
• Authorization
• Non-repudiation
• Integrity
• Confidentiality
• Global physical access
• Corporate ID
• Global PKI plus Smart Card
• Secure network logon and web access
• Signed/encrypted email and docs
• Smart Login (Secure password store)
• Card-based VPN
• Secure Dial-Up Access
• DoD CAC platform
8
PKI Corporate Badge Overview
[Architecture diagram; labels only]
• Production CA + Firewall
• Service Management Center Houston
• Test CA
• LDAP Directory
• Service Management Center
• Off-site Tape Storage
• Tape Backup
• Card Issuance System
• Master Users and PKI Support Team
• Remedy Event Tracking System
• High Security CA Room
• Registration Authority
• Card and User Management Service
• End User with: Standard PC
• Regional Operations
• Local Service Desk
• Card Perso Service Desk
• User Site
• SSO or LRA
• Austin
• Jerome Denis, Austin Product Center
9
Card Issuance System
• Distributed issuing is essential for an ID badge roll out
  – Web-based system for card issuance
  – Physical card issuance (card-user binding)
  – Central database for card history
  – Directory interface
• Printing Stations (25)
  – Admin client
  – Camera
  – Printer
10
Card Management System
• Essential for a smart card roll out
  – Web-based system to address card related issues
  – Logical card issuance (initial PIN set up)
  – Issues applications such as PKI, SLB GINA, Smart Login
  – Automatic certificate request and load
• Runtime (Smart Card related)
  – PIN management with policy support
  – Unblocking
• Lifecycle
  – Lost card, Temporary card
  – Not tied to the Certificate Authority
11
PC Client Architecture
[Layered architecture diagram; labels only]
• Reflex Reader
• Smart Card Middleware – Schlumberger SCUK
• Credential Store – Smart Login
• Card Management System (CMS)
• PKI Client Suite – Entrust Entelligence
• VPN Check Point
• File/Folder Encryption
• E-mail, Forms; Encrypt/sign; Web
• Secure Dial-up Access
• Thin Client Authentication
• Secure PC & Network Login
12
Certificate Creation Process
[Process diagram; labels only]
Actors: User, Site Security Officer, Registration Authority (RA), CA, LDAP, CIS
Arrow labels:
• Request card
• Identifies user
• Subscriber agreement
• files
• enables
• Request certificates
• Creates profile
• Signs
• Publishes
• Sends one time codes (partial)
• Encrypted
• Gives the codes + (card)
13
Application: Virtual Private Networking
[Network diagram; labels only]
• Internet
• SVPN
• Remote SLB user
• Central Office Encryption Gateway
• Remote Office Encryption Gateway
• Customer Office Encryption Gateway
• Customer Encryption Gateway
• SLB people
• Contractor
14
Application: Secure Dial-up Access
• Provides Smart Card based PKI authentication via dial-up connection
• Secure Communication between Network Access Point (NAS) and RADIUS
• Uses industry standards to facilitate transition from existing methods
• Performs Certificate Revocation List (CRL) checking
15
Application: Secure Web Access
[Diagram; labels only]
• Application Servers
• Web Servers
• Policy Server
• Public Key Infrastructure
• Authentication: Username Password; PIN & Digital Certificate
• Authorization
• Encryption: SSL 40 or 128 Bit
• Confidentiality
• Integrity
• Non Repudiation
• Digital Signature
16
General PKI Application Issues
• What to do while not all users of an application are deployed with PKI?
• Information Security Policy is key to guide efforts and spending
• Transition Rules are required
• Some applications are difficult/costly to upgrade
• Budget Allocation Issues – who pays for what?
  – Infrastructure, cards, applications, physical access, …
17
Physical Access Control
• One badge to access any facility or building worldwide
  – Mifare contactless technology
  – Compatible with most Physical Access Control vendors
  – Global “roaming”
  – Card Issuance System plays a key role
• Today almost 100 facilities support the technology
• Capital Intensive – you cannot replace everything
• Globalization of the solution in progress
18
Schlumberger Deployment Status
• About 35,000 Cyberflex Access cards issued
• 21,000+ active certificates
• Users in 300+ locations worldwide
• Target is between 25,000 and 30,000 PKI users by year end
• 30 PKI-enabled web applications by end of July, 80 by EOY
• 4,000+ VPN users
• Daily encrypted e-mail to top 1000 managers
19
What is Next?
• PKI Corporate Badge is a “Living System”
• Our IT Environment Evolves…
  – Example: Windows 2000 Integration (Active Directory)
• Optimize the registration processes
• Focus on ease of use…
• Continue Integration in Business Applications
  – Secure offline content delivery
  – Electronic Signatures
• Moving towards Single Sign On
20
Lessons Learned
• A PKI/Corporate Badge solution is a multi-year project which requires strong top Management Support
• Deploying PKI and Corporate Badge requires a thorough understanding of the business IT and platform strategy.
  – Directory, PC platform, Operating Systems, e-mail
  – Networking
• Logistics are important!
• Training, Training, Training…
21
Schlumberger PKI / Corporate Badge Deployment
Thank You
Neville Pattinson
Austin Technical Center